sjcl

Stanford Javascript Crypto Library

sjcl downloads sjcl version sjcl license

Search packages..
sjclSimilar Packages:

Npm Package Weekly Downloads Trend

3 Years
🌟 Show real-time usage chart on sjcl's README.md, just copy the code below.
## Usage Trend
[![Usage Trend of sjcl](https://npm-compare.com/img/npm-trend/THREE_YEARS/sjcl.png)](https://npm-compare.com/sjcl#timeRange=THREE_YEARS)

Cumulative GitHub Star Trend

🌟 Show GitHub stars trend chart on sjcl's README.md, just copy the code below.
## GitHub Stars Trend
[![GitHub Stars Trend of sjcl](https://npm-compare.com/img/github-trend/sjcl.png)](https://npm-compare.com/sjcl)

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
sjcl07,2302.24 MB1179 days ago(BSD-2-Clause OR GPL-2.0-only)

README for sjcl

[DEPRECATED] sjcl

Deprecation status

Having not been updated in many years (except to fix one serious vulnerability, described below), sjcl is deprecated. Please do not use it in new projects, and consider instead a more modern alternative.

Build Status

Join the chat at https://gitter.im/bitwiseshiftleft/sjcl

Stanford Javascript Crypto Library

Security Advisories

  • 12.02.2014: the current development version has a paranoia bug in the ecc module. The bug was introduced in commit ac0b3fe0 and might affect ecc key generation on platforms without a platform random number generator.

  • 03.08.2026: According to https://gist.github.com/Kr0emer/2560f98edb10b0b34f2438cd63913c47, sjcl is vulnerable due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback. This bug is fixed in SJCL 1.0.9. Thanks to Kr0emer for reporting it, and to the the Snyk security team for relaying this information.

Security Contact

Security Mail: sjcl@ovt.me
OpenPGP-Key Fingerprint: 0D54 3E52 87B4 EC06 3FA9 0115 72ED A6C7 7AAF 48ED
Keyserver: pool.sks-keyservers.net

Upgrade Guide

1.0.3 -> 1.0.4

codecBase32 has been re-enabled with changes to conform to RFC 4648:

  • Padding with = is now applied to the output of fromBits. If you don't want that padding, you can disable it by calling fromBits with a second parameter of true or anything that evaluates as "truthy" in JS
  • The encoding alphabet for sjcl.codec.base32 now matches that specified by the RFC, rather than the extended hex alphabet.
  • The former extended hex alphabet is now available through sjcl.codec.base32hex (also matching the RFC). So if you encoded something with base32 before, you'll want to decode it with base32hex now.

Documentation

The documentation is available here

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.